California Enacts GDPR-Like Privacy Changes

On the heels of Colorado’s new cybersecurity legislation, California has now announced that it has enacted the California Consumer Privacy Act of 2018. The legislation provides residents of California the right to:

be informed about the personal information that is collected about them;

be informed whether their information is sold to third parties and who those third parties are;

limit the sale of their personal information to third parties;

be provided with access to their personal information; and

be provided with the right to delete their personal information.

Importantly, the new law adds the following categories of information to the definition of personal information:

records of personal property, products, or services, and “consuming histories or tendencies”;

biometric data;

clickstream and “other electronic network activity information”;

geolocation data;

consumer sensory information;

professional or employment-related information;

educational information not publicly available; and

“inferences drawn” from personal information.

“Personal information” does not include publicly available information and consumer information that is “de-identified.”

Consistent with the FTC’s “Start With Security” guidance, the law prohibits the collection of information that is not “reasonably necessary.”

The Act gives Californians increased control of their personal information, including the right to know the categories of information collected and with whom it is shared. It provides consumers the right to opt out of the transfer of their information and requires that consumers be provided with meaningful choices before their information is shared. Children under the age of sixteen must opt in.

The law will directly impact the manner by which marketers collect, store, disseminate and otherwise utilize consumer data. It mandates the development and implementation of enhanced privacy policies and disclosures, and internal processes that address consumer requests regarding the use of data, including the sale and deletion thereof.

Businesses are prohibited from discriminating against consumers for exercising their rights by, without limitation, refusing to make available products or services. Financial incentives may be acceptable so long as they are not “unjust, unreasonable, coercive, or usurious.”

Not unlike Colorado’s cybersecurity legislation, third-party management controls are required, including responsible contract provisions and the diligent vetting of the data use practices thereof.

The Act is reminiscent of the European Union’s General Data Protection Regulation. It will be enforced by the Attorney General and by private right of action. State AG enforcement carries stiff penalties of up to $7,500 per violation.

The new law will be effective as of January 1, 2020. You can see the new legislation and various exceptions here.
